1. Networked Systems Survivability CERT ® Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 © 2002 Carnegie Mellon University ® CERT, CERT Coordination Center and Carnegie Mellon are registered in the U.S. Patent and Trademark Office Information Security For Technical Staff Module 2: Assets and Risk Management

2. © 2002 Carnegie Mellon University Module 2: Assets and Risk Management - slide 2 Instructional Objectives Discuss the components of risk and the concepts of risk management Describe the importance of identifying and prioritizing assets Describe risk analysis techniques Identify methods of managing risks

3. © 2002 Carnegie Mellon University Module 2: Assets and Risk Management - slide 3 Overview Define risk and recognize impact Assets, threats, vulnerabilities and safeguards Risk management, risk assessment and analysis

4. © 2002 Carnegie Mellon University Module 2: Assets and Risk Management - slide 4 Risk Risk is the possibility of suffering a loss, destruction, modification, or denial of availability of an asset.

5. © 2002 Carnegie Mellon University Module 2: Assets and Risk Management - slide 5 Risk Impact The nature of information and systems allows significant risks that may result in: Loss or compromise of critical information Loss or compromise of key technologies Loss of competitive position Loss of customer confidence Loss of trust in the organization’s computers/network system Loss of revenue Loss of life or property Loss due to monetary fine, law suit, or regulatory penalty

6. © 2002 Carnegie Mellon University Module 2: Assets and Risk Management - slide 6 Understanding Risk Requires: Identifying and prioritizing assets Relating threats and vulnerabilities Performing risk analysis Recognizing risk must be managed Risk can be mitigated, but cannot be eliminated

7. © 2002 Carnegie Mellon University Module 2: Assets and Risk Management - slide 7 Assets Assets and asset value Information Assets Other supporting assets Critical assets

8. © 2002 Carnegie Mellon University Module 2: Assets and Risk Management - slide 8 Information Assets Information Hardware Software People

9. © 2002 Carnegie Mellon University Module 2: Assets and Risk Management - slide 9 Other Supporting Assets Facilities Utilities Outsourced Services

10. © 2002 Carnegie Mellon University Module 2: Assets and Risk Management - slide 10 Critical Assets Critical Assets are assets determined to have an integral relationship with the mission of the organization and its success; recognizing that each individual organization will define a different set. Examples: Intellectual property / patents / copyrights Corporate financial data Customer sales information Human resource information

11. © 2002 Carnegie Mellon University Module 2: Assets and Risk Management - slide 11 Security Requirements Each [critical] asset has different requirements of confidentiality, integrity, and availability, that should be: Communicated Detailed Documented

12. © 2002 Carnegie Mellon University Module 2: Assets and Risk Management - slide 12 Vulnerability: absence or weakness of a safeguard Safeguard: control or countermeasure employed to reduce risk associated with a specific threat Threat: occurrence of any event that causes an undesirable impact or loss Threats, Safeguards, and Vulnerabilities

13. © 2002 Carnegie Mellon University Module 2: Assets and Risk Management - slide 13 Use exposure values to: Prioritize the order in which risks are addressed Help in deciding how to manage risks A new worm attacks vulnerable systems Web site defacement Datacenter flooded by fire protection system Calculating Risk Exposure

14. © 2002 Carnegie Mellon University Module 2: Assets and Risk Management - slide 14 Calculating Risk Where Metric = $ Exposure Factor (EF) % of loss of an asset Single Loss Expectancy (SLE) EF x Value of asset in $ Annualized Rate of Occurrence (ARO) A number representing frequency of occurrence of a threat - Example: 0.0 = Never 1000 = Occurs very often Annualized Loss Expectancy (ALE) Dollar value derived from: SLE x ARO

15. © 2002 Carnegie Mellon University Module 2: Assets and Risk Management - slide 15 Asset = Organization’s Intranet Web Server Simple Risk Assessment Matrix

16. © 2002 Carnegie Mellon University Module 2: Assets and Risk Management - slide 16 Detailed Risk Assessment Matrix

17. © 2002 Carnegie Mellon University Module 2: Assets and Risk Management - slide 17 Risk Management Risk Management is process used to identify, analyze, and mitigate the risk (comprised of threats, vulnerabilities, safeguards and assets); and provide strategies for sustaining the security requirements of an information asset.

18. © 2002 Carnegie Mellon University Module 2: Assets and Risk Management - slide 18 Managing Risks Acknowledge that the risk exists, but apply no safeguard (Exposure value is within tolerance) Shift responsibility for the risk to a third party (ISP, MSSP, Insurance, etc.) Change the asset’s risk exposure (apply safeguard) Eliminate the asset’s exposure to risk, or eliminate the asset altogether Accept AvoidMitigate Transfer Risk

19. © 2002 Carnegie Mellon University Module 2: Assets and Risk Management - slide 19 Risk Transference Issues Outsourcing Risk Trust dilemma Residual risk

20. © 2002 Carnegie Mellon University Module 2: Assets and Risk Management - slide 20 Review Questions 1.What are the components of risk? 2.Why do we prioritize one asset over another? 3.What two properties are analyzed and calculated as part of a simple risk assessment? 4.What are a few of the items completed in a risk assessment?

21. © 2002 Carnegie Mellon University Module 2: Assets and Risk Management - slide 21 Module Summary Assets and asset value must be understood Risk can be both qualitative and quantitative Risk management Risk can be mitigated, but never eliminated